Anti-Money Laundering, Privacy Requirements Can Co-Exist

By Edward McEneely

A recent Section of Business Law-sponsored CLE program, “Privacy and Anti-Money Laundering: An Oxymoron?” described the challenges of navigating the conflicting guidance and legal requirements relating to anti-money laundering efforts and privacy requirements. The program also provided operational tips on managing those requirements, and some scenarios that may arise because of the tension between the two sets of rules.

Andrew Smith—a partner at Morrison & Foerster LLP—urged that an organization take a holistic view of high-risk customers, across the enterprise, when it comes to AML efforts and suspicious activity reporting, and also spoke about sharing restrictions on consumer information that are in place in the United States.

Catherine Brown, managing director, Treliant Risk Advisors, echoed Smith’s advice about taking a holistic view, noting, though, that the AML and privacy risk management functions within an organization are generally managed separately. They are not, however, Brown said, mutually exclusive. The key to successful risk management is strong communication and collaboration between the respective managers.

AML and privacy risk assessments are the foundation of sound risk management programs, continued Brown. These assessments should be comprehensive and should reflect how the two areas are connected. On a programmatic level, a commitment from the board and senior management is needed to ensure that a financial institution closely scrutinizes its efforts in this regard. Appropriate resources should be designated, a culture of responsibility and accountability should be maintained, and adequate skills and expertise among the managers involved are critical to success.

Non-bank mortgage lenders and originators that are subject to the new Financial Crimes Enforcement Network (FinCEN) requirements should undergo a thorough assessment of their privacy programs to reflect the impact of the new anti-money laundering requirements, Brown advised. The programs should be designed with the integrated management of the different risks at the forefront.

Speaking about international privacy requirements, Nancy Baran—vice president and corporate counsel with The Prudential Insurance Company of America—noted that the corporate organization of a multinational can affect which laws have jurisdiction. She said that it’s easy for U.S. companies with non-U.S. branches to run afoul of data privacy laws in other countries. Creating a unified compliance program—and this does not mean a uniform program—is possible for all affiliates, whether domiciled in the United States or outside it. Unified, rather than uniform, means having similar processes to identify and resolve AML issues, with each program reflecting local law and cultural differences, such as a country that is more of a cash society than others.

Lisa Belle—with Barclays Wealth Americas, Financial Crime Compliance—provided an update on the Foreign Account Tax Compliance Act, which would require foreign financial institutions to collect and report U.S. account holder information, including pre-existing U.S. accounts and information on U.S.-owned foreign entities. Because of the concerns this would raise in countries that place a higher priority on protecting data, the United States has proposed a government-to-government framework in some cases. Under this system, banks in other nations would report information to their own governments, which would then turn the data over to the United States.

Several scenarios and the questions they raise were also laid out by Belle, including:

Privacy issues that have crossed over into the fraud realm—for example, a client communicating with a bank via email, but whose email account has been compromised;

A foreign client’s payment clearing through the affiliate in the United States, where the U.S. bank reviews the payment and asks for additional data on the person submitting it, but the foreign bank refuses to provide the data, so the payment must be rejected;

A privacy officer not understanding AML legal requirements; and

Using an email as “approval” documentation when that email contains client data crossing jurisdictions.